| English | 中文 |
|---|---|
| 📗 English Docs · Pick path · Getting Started · Architecture · Env Reference · Contributing | 📘 中文文档 · 选择路径 · 入门指南 · 架构说明 · 环境变量 · 贡献指南 |
One repository ships several entry points. Each row links to the English hub; 中文 is linked at the top of that page if you prefer it.
| Goal | First stop |
|---|---|
| Desktop GUI — local assistant, skills, optional IDE layout | Path 1 — Desktop |
| Sandbox / MCP — isolated skills in Cursor, OpenCode, or your own stack | Path 2 — Sandbox & MCP |
Full stack — skilllite CLI, Python SDK, evolution |
Path 3 — Full stack |
A lightweight secure Self-evolution engine built in Rust, featuring a built-in native system-level sandbox, zero dependencies, and fully local execution.
We built the most secure skill sandbox in the ecosystem (20/20 security score). Then we realized: the real value isn't just safe execution — it's safe evolution.
[
]

┌──────────────────────────────────────────────────────────────┐
│ Self-Evolving Engine(自进化引擎) │
│ │
│ Immutable Core (compiled into binary, never self-modifies) │
│ ├─ Agent loop, LLM orchestration, tool execution │
│ ├─ Config, metadata, path validation │
│ └─ Evolution engine: feedback → reflect → evolve → verify │
│ │
│ Evolvable Data (local files, auto-improves over use) │
│ ├─ Prompts — system / planning / execution prompts │
│ ├─ Memory — task patterns, tool effects, failure lessons │
│ └─ Skills — auto-generated skills from repeated patterns │
│ ▼ │
│ all evolved artifacts must pass ▼ │
├──────────────────────────────────────────────────────────────┤
│ Security Sandbox(安全沙箱) │
│ │
│ Full-chain defense across the entire skill lifecycle: │
│ ├─ Install-time: static scan + LLM analysis + supply-chain │
│ ├─ Pre-execution: two-phase confirm + integrity check │
│ └─ Runtime: OS-native isolation (Seatbelt / bwrap / seccomp)│
│ ├─ Process-exec whitelist, FS / network / IPC lockdown │
│ └─ Resource limits (CPU / mem / fork / fsize) │
└──────────────────────────────────────────────────────────────┘
Why two layers, not one? Evolution without safety is reckless — evolved skills could exfiltrate data or consume unbounded resources. Safety without evolution is static — the Agent never improves. SkillLite welds them together: the evolution engine produces new prompts, memory, and skills; the sandbox layer ensures every evolved artifact passes L3 security scanning + OS-level isolation before execution. Evolution is auditable, rollbackable, and never modifies the core binary.
| skilllite (Evolution) | skilllite-sandbox (lightweight) | |
|---|---|---|
| Binary size | ~6.2 MB | ~3.6 MB |
| Startup RSS | ~4 MB | ~3.9 MB |
| Agent mode RSS (chat / agent-rpc) | ~11 MB | — |
| Sandbox execution RSS | ~11 MB | ~10 MB |
Measured on macOS ARM64, release build. Sandbox RSS is dominated by the embedded Python process.
Use the full stack or just the sandbox:
skilllitegives you evolution + agent + sandbox.skilllite-sandboxis a standalone binary (or MCP server) that any agent framework can adopt — no need to buy into the full SkillLite stack.
Many products now advertise self-adapting or self-evolving agents. SkillLite’s stance is narrower and easier to keep accurate over time: prompts, memory, and skills may evolve, but they stay behind the same immutable core and full-chain sandbox as everything else — install-time scan, pre-execution gates, OS-level isolation, and governance (thresholds, backlog, rollback). Evolved artifacts are not exempt: they pass the same L3 checks + sandbox as manually installed skills.
Most sandbox solutions only provide runtime isolation. SkillLite defends across the entire skill lifecycle — three layers in a single binary:
┌─────────────────────────────────────────────────┐
│ Layer 1 — Install-time Scanning │
│ ├─ Static rule scan (regex pattern matching) │
│ ├─ LLM-assisted analysis (suspicious → confirm) │
│ └─ Supply-chain audit (PyPI / OSV vuln DB) │
├─────────────────────────────────────────────────┤
│ Layer 2 — Pre-execution Authorization │
│ ├─ Two-phase confirm (scan → user OK → run) │
│ └─ Integrity check (hash tamper detection) │
├─────────────────────────────────────────────────┤
│ Layer 3 — Runtime Sandbox │
│ ├─ OS-native isolation (Seatbelt / bwrap) │
│ ├─ Process-exec whitelist (interpreter only) │
│ ├─ Filesystem / network / IPC lockdown │
│ └─ Resource limits (rlimit CPU/mem/fork/fsize) │
└─────────────────────────────────────────────────┘
| Capability | SkillLite | E2B | Docker | Claude SRT | Pyodide |
|---|---|---|---|---|---|
| Install-time scanning | ✅ | — | — | — | — |
| Static code analysis | ✅ | — | — | — | — |
| Supply-chain audit | ✅ | — | — | — | — |
| Process-exec whitelist | ✅ | — | — | — | — |
| IPC / kernel lockdown | ✅ | — | — | — | — |
| Filesystem isolation | ✅ | partial | partial | partial | ✅ |
| Network isolation | ✅ | ✅ | — | ✅ | ✅ |
| Resource limits | ✅ | ✅ | partial | partial | partial |
| Runtime sandbox | ✅ | ✅ | ✅ | ✅ | ✅ |
| Zero-dependency install | ✅ | — | — | — | — |
| Offline capable | ✅ | — | partial | ✅ | ✅ |
| Platform | Blocked | Score |
|---|---|---|
| SkillLite (Level 3) | 20/20 | 100% |
| Pyodide | 7/20 | 35% |
| Claude SRT | 7.5/20 | 37.5% |
| Docker (default) | 2/20 | 10% |
Full 20-item security test breakdown
| Test Item | SkillLite | Docker | Pyodide | Claude SRT |
|---|---|---|---|---|
| File System | ||||
| Read /etc/passwd | ✅ Blocked | ❌ Allowed | ✅ Blocked | ❌ Allowed |
| Read SSH private key | ✅ Blocked | ✅ Blocked | ✅ Blocked | ✅ Blocked |
| Write to /tmp dir | ✅ Blocked | ❌ Allowed | ❌ Allowed | ✅ Blocked |
| Directory traversal | ✅ Blocked | ❌ Allowed | ✅ Blocked | ❌ Allowed |
| List root directory | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Network | ||||
| Send HTTP request | ✅ Blocked | ❌ Allowed | ✅ Blocked | ✅ Blocked |
| DNS query | ✅ Blocked | ❌ Allowed | ❌ Allowed | ✅ Blocked |
| Listen port | ✅ Blocked | ❌ Allowed | ❌ Allowed | ✅ Blocked |
| Process | ||||
| Execute os.system() | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Execute subprocess | ✅ Blocked | ❌ Allowed | ✅ Blocked | ❌ Allowed |
| Enumerate processes | ✅ Blocked | ❌ Allowed | ❌ Allowed | ✅ Blocked |
| Send process signal | ✅ Blocked | ❌ Allowed | ✅ Blocked | ⚠️ Partially |
| Resource Limits | ||||
| Memory bomb | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Fork bomb | ✅ Blocked | ❌ Allowed | ✅ Blocked | ❌ Allowed |
| CPU intensive compute | ✅ Blocked | ✅ Blocked | ❌ Allowed | ✅ Blocked |
| Code Injection | ||||
| Dynamic import os | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Use eval/exec | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Modify built-in funcs | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Information Leakage | ||||
| Read environment vars | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
| Get system info | ✅ Blocked | ❌ Allowed | ❌ Allowed | ❌ Allowed |
# Reproduce: run security comparison tests
cd benchmark && python3 security_vs.py
| Dimension | SkillLite | Docker | Pyodide | SRT |
|---|---|---|---|---|
| Warm Start | 40 ms | 194 ms | 672 ms | 596 ms |
| Cold Start | 492 ms | 120s | ~5s | ~1s |
| Memory | ~10 MB | ~100 MB | ~50 MB | ~84 MB |
| Deployment | Single binary | Requires daemon | Requires Node.js | Requires installation |
3-5x faster execution, 10x lower memory footprint vs Docker/SRT.
Benchmarking standard: SkillLite avoids the MicroVM layer entirely for local code execution: no guest kernel, VM monitor, image, or sandbox service stack. Its focused no-Python sandbox launch benchmark runs at 111 ms avg / 113 ms P95 with ~1.14 MB child peak RSS. This is process RSS, not directly comparable to MicroVM VMM-overhead/PSS figures. Real Python skill execution is reported separately: ~40 ms warm, ~492 ms cold, and ~10 MB RSS.
Performance benchmark details & commands

The root benchmark/ results are primarily produced by Python scripts that exercise Python skill execution. For no-Python measurements, only the focused skilllite-sandbox launch-path microbenchmark is documented here to avoid mixing it with Python E2E results.
No-Python skilllite-sandbox launch-path data (/usr/bin/true, 200 iterations, macOS ARM64):
| Metric | Native Spawn | skilllite-sandbox |
Sandbox Overhead |
|---|---|---|---|
| Avg latency | 0.806 ms | 111.296 ms | +110.490 ms |
| P50 latency | 0.757 ms | 112.020 ms | +111.263 ms |
| P95 latency | 1.063 ms | 113.385 ms | +112.322 ms |
| Child peak RSS | 1.016 MB | 1.141 MB | +0.125 MB |
cd benchmark/
python benchmark_runner.py --compare-levels --compare-ipc -n 100 -c 10
# Cold start comparison
python benchmark_runner.py --cold-start --compare-ipc
# Full test: cold start + high concurrency
python benchmark_runner.py --cold-start --cold-iterations 20 --compare-levels --compare-ipc -o results.json
# Optional no-Python skilllite-sandbox launch-path microbenchmark
./run_benchmark.sh --core-only
See benchmark/README.md for full documentation.
In one sentence: Other agent frameworks are smart but unsafe, or safe but static. SkillLite is both — an Agent that gets measurably better over time, with every evolved artifact security-constrained by an OS-native sandbox.
$ claude mcp add skilllite \
-- python -m otcore.mcp_server <graph>